DE 198 12 215 A1 discloses a method for preventing monitoring at the radio interface of a mobile radio network, a mobile station exhibiting an operating mode, which can be switched on by the subscriber, in which a connection is aborted if the received identification permits the connections with unencrypted information.
In unencrypted connections in mobile radio systems and, in particular, in packet-type mobile radio systems such as, for example, GPRS or UMTS-PO, a so-called “hijacking” attacks occur in which an intruder infiltrates his own file or data packets into someone else's connection and thus becomes a parasite on radio resources which are paid by regular users. Possibilities of such attacks exist, for example, when a regular user accesses data services such as, for example, those of an Internet provider or announcement services which frequently charge high tariffs. An attacker who successfully infiltrates such a connection can also access the services and continue the access when the regular user believes that the connection is terminated. The regular user is then charged with the due fees. If the usage fees are not calculated from the duration of a connection but from the number of files transferred, the attacker can mix his file in with a file of the user. Users can be especially susceptible to attacks on on-line payment traffic. An attacker could succeed in triggering disadvantageous payment processes unnoticed by a user. An effective countermeasure against such misuse is the use of encryption techniques.
As a protection, the familiar GSM network provides the terminal and the network with the possibility of setting up an encrypted connection and selecting an encryption technique supported by both ends during the setting up of the connection.
In the familiar GSM network, the terminal informs the base station of the encryption techniques supported by the terminal. The base station then selects one which is supported by the base station itself for preparing an encrypted connection in an early phase of the setting up of the connection even before the authentication (authentication and key agreement between terminal and base station). The designation of this encryption technique is transmitted back to the terminal and the transmission begins by using the encryption mechanism thus specified.
However, this negotiation about an encryption technique is not secure if active attacks on the interface are taken into consideration. The network is not able to check whether the information about the encryption techniques supported by the terminal which is received by it has actually been sent by the terminal and the terminal is also not sure that the network has received the correct information.
This approach normally used in the GSM network is also applied in the UMTS system. In this system, techniques for integrity protection are additionally used which enable a receiver to recognize whether the data received by him actually come from an assumed transmitter or whether they have been corrupted by a third party.
When a connection is set up in the UMTS system, both the encryption and the integrity protection techniques supported by the terminal are statically stored in it and are transmitted to the serving mobile radio network in an early phase of the connection setup. The serving mobile radio network selects an encryption technique and an integrity protection technique which is also supported by itself, starts the integrity protection and sends designations of the selected techniques to the terminal. Together with the selected encryption and integrity protection technique, the network reports the techniques received by it back to the terminal. When it receives this information, the terminal checks the completeness of the received message and compares the encryption and integrity protection techniques transmitted to the network with those reported back from there in order to detect by this means a possible corruption of the messages exchanged. When the terminal has acknowledged the reception, the encryption can begin. If the network does not select an encryption technique but the “unencrypted” mode of operation, the terminal can reject the connection.
Such a procedure is not problematic as long as the terminal is located within the area of its home network because it can be ensured that the terminal and the network have at least one common encryption mode. Hence, cases where a connection intended by the user of the device cannot be encrypted do not occur. It is, therefore, obvious and has already been proposed as a standard to use terminals which reject unencrypted connections right away. If all users are equipped with such terminals, it will scarcely be possible for an intruder to take control of an existing connection and to infiltrate his own data into it in such a manner that they can trigger intended reactions in the network.
A critical disadvantage of this approach is, however, that it raises problems in its application when the serving mobile radio network is not also the home network of the terminal. This is because the use of encryption techniques in mobile radio is not permissible in all countries. Moreover, these techniques are partly subject to export restrictions so that they cannot be used in some countries where they would possibly be permissible in accordance with the national law because the export to these countries is subject to sanctions.
Thus, terminals which only allow encrypted connections could not be used in a large number of countries and would, therefore, be unattractive for the users.
Although it is also conceivable that a terminal offers to the serving network not only the supported encryption techniques but also the option to operate a connection unencrypted during the connection setup. Although this would possibly extend the geographic area where the devices can be used but it would be at the cost of security. This is because in this case the desired protection would no longer be effective since an attacker would have the possibility of pretending to the terminal that he is the base station of the serving network and instruct the terminal to leave the connection unencrypted.